<div dir="ltr">Hi Daniel,<div> Thanks for the explanation! The first reply gave the impression that I didn't give the required info, hence I re-clarified. Point noted!</div><div>Regards,</div><div>Mahesh.B</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jan 6, 2020 at 4:48 PM Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com">miconda@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello,</p>
<p>do not put a lot of extra information which is irrelevant to the
issue that you try to solve. It is a waste of time for someone to
read it, understand it and discover it is not related to what has to be
solved. I asked a question to clarify something and you replied to
it with a lot of irrelevant details (I + II).</p>
<p>If you want to post informative details for particular working
scenarios to let others know the technical details in case someone
wants something similar, that's good and useful, but make them
separate emails.</p>
<p>The server profile is matched by IP if you define a section with
[server:IP...] and there is no SNI. If you want SNI only in some
cases, you can define [server:any] with server_name attribute. The
server:default is selected only when there is no IP/port or SNI
match.<br>
</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div>On 06.01.20 12:07, mahesh b wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Daniel,
<div><br>
</div>
<div>i) Kamailio acting as client (IP 10.211.160.176) ->
Kamailio acting as server (IP 10.211.160.172) <b><u>[
Scenario 1: Working as Expected ]</u></b></div>
<div><br>
</div>
<div>The SNI presented by 10.211.160.176 in the client hello is <a href="http://btip.172.com" target="_blank">btip.172.com</a>;
10.211.160.172 picks the profile below, with
server_name = <a href="http://btip.172.com/" target="_blank">btip.172.com</a>, for the TLS handshake <b><u>//
working as expected</u></b></div>
<div><br>
</div>
<pre>[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com</pre>
<div><br>
<div>ii) Kamailio acting as client (IP 10.211.160.163) ->
Kamailio acting as server (IP 10.211.160.172) <b><u>
[ Scenario 2: Working as Expected ]
</u></b></div>
<div><br>
</div>
<div>
The SNI presented by 10.211.160.163 in the client hello is <a href="http://ctip.172.com" target="_blank">ctip.172.com</a>;
10.211.160.172 picks the profile below, with
server_name = <a href="http://ctip.172.com/" target="_blank">ctip.172.com</a>, for the TLS handshake
<b><u>// working as expected</u></b></div>
<div> </div>
<pre>[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com</pre></div>
<div><br>
<div>iii) Kamailio acting as client (IP 10.211.160.175) ->
Kamailio acting as server (IP 10.211.160.172) <b><u>
[ Scenario 3: Not Working as Expected ]
</u></b><br>
</div>
</div>
<div><br>
</div>
<div>10.211.160.175 is <b>intentionally</b> <b>configured</b>
in such a way that it does not send SNI in the client hello to
10.211.160.172.</div>
<div>Now 10.211.160.172 should pick the server default profile for
the TLS handshake [ Right?? ]</div>
<div>Instead it is picking the server profile with server_name = <a href="http://ctip.172.com/" target="_blank">ctip.172.com</a> // <b><u>isn't this
incorrect?? [ I have explained in the previous email why
it is picking this profile in tls_lookup_cfg() ]</u></b></div>
<div><b><u><br>
</u></b></div>
<div>Regards,</div>
<div>Mahesh.B</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Jan 6, 2020 at 3:21 PM
Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello,</p>
<p>trying to understand properly what you want to do and what
doesn't work as expected ...</p>
<p>Is it that kamailio connects via tls to another server
and it does not present SNI?</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div>On 03.01.20 11:24, mahesh b wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>I am using Kamailio version 5.1.9.</div>
<div><br>
</div>
<div><u>Below is my tls.cfg</u></div>
<div><br>
</div>
<div><pre>[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = server.key
certificate = server.crt
ca_list = bundle.crt
cipher_list = RSA
verify_depth = 9

[client:default]
verify_certificate = no
require_certificate = no

[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com

[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com</pre></div>
<div><br>
</div>
<div>My Kamailio server ip is 10.211.160.172</div>
<div><br>
</div>
<div>i) When I initiate a TLS connection from a remote
server (which is also a Kamailio server), say
10.211.160.176, to 10.211.160.172:</div>
<div>In the client hello I am setting the SNI name as <a href="http://btip.172.com" target="_blank">btip.172.com</a> => so on
the 10.211.160.172 side it is picking up the server
profile with server_name <a href="http://btip.172.com" target="_blank">btip.172.com</a>
for the TLS handshake. <b>// Working as expected</b></div>
<div><br>
</div>
<div>ii) When I initiate a TLS connection from another
remote server (which is also a Kamailio server), say
10.211.160.163, to 10.211.160.172:</div>
<div>In the client hello I am setting the SNI name as <a href="http://ctip.172.com" target="_blank">ctip.172.com</a> => so on
the 10.211.160.172 side it is picking up the server
profile with server_name <a href="http://ctip.172.com" target="_blank">ctip.172.com</a>
for the TLS handshake. <b>// Working as expected</b></div>
<div><br>
</div>
<div>
<div>iii) When I initiate a TLS connection from another
remote server (which is also a Kamailio server), say
10.211.160.175, to 10.211.160.172:</div>
<div>In the client hello I am NOT setting an SNI name
=> so on the 10.211.160.172 side, should it pick up
the server default profile or the first profile
whose IP and port match?</div>
</div>
<div>What I observe from the logs is that it is picking up
the server profile with server_name <a href="http://ctip.172.com" target="_blank">ctip.172.com</a> for the TLS
handshake.</div>
<div><br>
</div>
<div><br>
</div>
<div>I had a look at the code in the
function tls_lookup_cfg; from the debug prints I
understand it is trying to match the profile for IP and
port:</div>
<div><br>
</div>
<div><pre>if ((p->port==0 || p->port == port)
        && ip_addr_cmp(&p->ip, ip)) <b>// IP and port matched</b>
{
    if(sname && sname->len>0) <b>// Incoming client hello didn't have sname, so it will hit the else part</b>
    {
        if(p->server_name.s && p->server_name.len==sname->len
                && strncasecmp(p->server_name.s, sname->s, sname->len)==0)
        {
            LM_DBG("socket+server_name based TLS server domain found\n");
            return p;
        }
    }
    else
    {
        return p; <b>// so it is returning the first profile to which IP and port matched.</b>
    }
}</pre></div>
<div><br>
</div>
<div>Am I missing anything, or is this a bug? If in the
client hello there is no SNI, what needs to be done to
make use of the default profile for the TLS handshake?
Or is this something fixed in the latest version?</div>
<div>I just tried and modified the code as below, after
which it is giving the server default profile when there is no
SNI in the incoming client hello.</div>
<div><br>
</div>
<div><pre>if ((p->port==0 || p->port == port)
        && ip_addr_cmp(&p->ip, ip))
{
    if(sname && sname->len>0)
    {
        if(p->server_name.s && p->server_name.len==sname->len
                && strncasecmp(p->server_name.s, sname->s, sname->len)==0)
        {
            LM_DBG("socket+server_name based TLS server domain found\n");
            return p;
        }
    }
    else
    {
        if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
        {
            LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
            return cfg->srv_default;
        }
        else
        {
            LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
            return p;
        }
    }
}</pre></div>
<div><br>
</div>
<div>Regards,</div>
<div>Mahesh.B</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
Kamailio (SER) - Users Mailing List
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<pre cols="72">--
Daniel-Constantin Mierla -- <a href="http://www.asipto.com" target="_blank">www.asipto.com</a>
<a href="http://www.twitter.com/miconda" target="_blank">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank">www.linkedin.com/in/miconda</a>
Kamailio World Conference - April 27-29, 2020, in Berlin -- <a href="http://www.kamailioworld.com" target="_blank">www.kamailioworld.com</a></pre>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote></div>
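<p>The following is an added example, not code from this thread and not Kamailio's tls module: a small Python model of the server-profile selection rules Daniel describes, applied to an abbreviated copy of the poster's tls.cfg and to the same profiles rewritten with [server:any] sections. The parser, the function names and the choice to walk profiles in file order are assumptions of this model; the thread does not establish the order of Kamailio's internal list (the poster saw the second section chosen), only that a no-SNI client matched by IP/port never reaches [server:default].</p>

```python
"""Model of the tls.cfg server-profile selection described in this thread.

Added illustration, not Kamailio's tls module code. Rules, per the reply:
a [server:IP:port] section matches the socket (with SNI its server_name must
match too; without SNI the first socket match wins), [server:any] sections
with server_name are chosen by SNI, [server:default] only when nothing
matches. Walking profiles in file order is this model's assumption.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Profile:
    kind: str                 # "default", "any" or "socket"
    ip: str = ""
    port: int = 0             # 0 means any port, as in the quoted C
    params: dict = field(default_factory=dict)

    @property
    def server_name(self):
        return self.params.get("server_name")


_SERVER_SECTION = re.compile(r"^\[server:([^\]]+)\]$")


def parse_server_profiles(text):
    """Return [server:*] sections in file order (repeated names allowed)."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = _SERVER_SECTION.match(line)
            if not m:
                current = None        # a [client:...] section: skip its keys
                continue
            target = m.group(1)
            if target in ("default", "any"):
                current = Profile(target)
            else:
                ip, _, port = target.partition(":")
                current = Profile("socket", ip, int(port) if port else 0)
            profiles.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.params[key.strip()] = value.strip()
    return profiles


def lookup_server_profile(profiles, ip, port, sni=None):
    """Pick the server profile for a ClientHello that arrived on ip:port."""
    default = next(p for p in profiles if p.kind == "default")
    # Socket-bound sections first, as in the loop quoted in the thread:
    # without SNI the first IP/port match is returned, never the default.
    for p in profiles:
        if p.kind == "socket" and p.ip == ip and p.port in (0, port):
            if not sni:
                return p
            if p.server_name and p.server_name.lower() == sni.lower():
                return p
    # Then [server:any] sections, selected purely by SNI.
    if sni:
        for p in profiles:
            if p.kind == "any" and p.server_name and p.server_name.lower() == sni.lower():
                return p
    return default


# Constructed, abbreviated copy of the poster's layout (paths shortened).
ORIGINAL_CFG = """
[server:default]
verify_certificate = no
require_certificate = no
private_key = server.key
certificate = server.crt

[server:10.211.160.172:5061]
require_certificate = yes
private_key = profile2/btip_172_server_private.key
server_name = btip.172.com

[server:10.211.160.172:5061]
require_certificate = yes
private_key = profile1/ctip_172_server_private.key
server_name = ctip.172.com
"""

# Same profiles rewritten as the reply suggests: the SNI-selected ones become
# [server:any], so a no-SNI ClientHello on 10.211.160.172:5061 finds no
# socket-bound section and falls through to [server:default].
REWRITTEN_CFG = ORIGINAL_CFG.replace("[server:10.211.160.172:5061]", "[server:any]")


def chosen_profile(cfg_text, sni):
    """(kind, server_name) selected for 10.211.160.172:5061 and the given SNI."""
    p = lookup_server_profile(parse_server_profiles(cfg_text), "10.211.160.172", 5061, sni)
    return p.kind, p.server_name
```

<p>With the original layout, chosen_profile(ORIGINAL_CFG, None) returns one of the two socket-bound profiles; with the rewritten layout it returns the default, while SNI values btip.172.com and ctip.172.com still select their [server:any] profiles. On a real deployment the same check can be made from outside with <code>openssl s_client -connect 10.211.160.172:5061 -servername btip.172.com</code> versus <code>openssl s_client -connect 10.211.160.172:5061 -noservername</code> (OpenSSL 1.1.1 or later) and comparing the certificate subject each handshake returns. One caveat worth noting: in the poster's file [server:default] has verify_certificate = no and require_certificate = no, so peers that omit SNI and land on it are not authenticated by client certificate at all; if that fallback is meant to be reachable, the default profile should require and verify certificates as the named profiles do.</p>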